Information about collected data
freeRASP collects anonymized security diagnostics data from apps. These data contain:
Application state and security.
Device state and security.
Anonymous app instance ID and device ID.
This information allows Talsec to provide a security report, improve the freeRASP product and even the commercial RASP SDK, or prepare mobile security reports and articles.
Data collection can be disabled or configured to a custom customer-owned logging service in premium plans of Talsec.
All the data collected by the freeRASP is technical diagnostics information and anonymous, but depending on the regulations applied, it could be considered sensitive and/or personal data.
Talsec recommends adding the statement below to the dedicated privacy policy page of your app. You can also use the text below while filling in the Google Play Safety Section or similar for Apple App Store publishing.
Google Play requires all app publishers to declare how they collect and handle user data for the apps they publish on Google Play. They should inform users properly of the data collected by the apps and how the data is shared and processed. Google will reject the apps which do not comply with the policy.
More about Google Play's Data safety here.
The checks for the Google Play and details about data are specified above in #privacy-policy-statement.
Apple requires that all app developers disclose their data collection and handling practices for apps published on the App Store. Developers must clearly inform users about the data their apps collect, as well as how this data is shared and processed. Apps that do not adhere to Apple's data privacy guidelines will be rejected.
More about Apple App privacy here.
To comply with the policy, in the App Privacy section, it is important to check the following:
Identifiers -> Device ID -> App Functionality
It is an anonymous device identifier for the App vendor as per: https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor
Talsec Security SDK can not link the device identifier to the user
Diagnostics -> Performance Data -> App Functionality, Other Purposes, No for linking to the user
Diagnostics -> Other diagnostics data -> App Functionality, Other Purposes, No for linking to the user
Other data -> App Functionality, No for linking to the user
Security diagnostics data (such as jailbreak)
Google Play’s User Data policy indicates that a prominent disclosure should be presented to the users in case of an app collecting personal or sensitive data.
Although freeRASP collects diagnostical data (anonymous and not user-related), you (as the app publisher) should consider adding a disclosure screen, describing why the security diagnostic data is needed, what data, and how the data is used.
More about Google's best practices for prominent disclosure and consent here.